overview

• introduction 

• collecting fingerprint data 

• attacking the communication 

• attacking the templates 

• attacks using the sensor 
biometric systems - types of attacks

attacking the data

- communication data (1)

- reference data (2)

attacks using the sensor (3)

attacking the software (4)

- matcher

- threshold

[Figure: parts of biometric systems, by Lisa Thalheim]


sensor types 

• capacitive 

• optical 

• electrical 

• thermal 



• touching 

• sweeping 
array of capacitors

sweep sensor

collecting the data

visualisation of latent prints on glossy surfaces


• coloured or magnetic powder

visualisation with coloured powder

• cyanoacrylate

visualisation with cyanoacrylate

• vacuum metal deposition

visualisation with sputtered gold

visualisation of latent prints on paper

• amino acid indicator

- Ninhydrin

- Iodide

visualisation with Ninhydrin

• thermal decomposition of grease

visualisation of grease

• Hardware

- USB-Agent / USB Tracker 

- directly connected to the sensor 

- GNU-Radio 




USB-Agent 



www.hitex.com 



• Software 

- usbsnoop 

- sniffusb 

- usbmon 



[Screenshot: usbsnoop device list (entries include "Finger Chip with Genesys driver", "ID Mouse Sensordevice" and "Panasonic Authenticam") and a captured log of BULK_OR_INTERRUPT_TRANSFER URBs with the hex dump of a transfer buffer]

usbsnoop

data analysis

• collecting public information 

• analysing the sensor 



type of data 

- raw vs. templates 

encryption 
header 

- timestamps 

- checksums 



USB-sniff of the Siemens ID Mouse 
sniffing the data @ thinkpad sensor


- hardware: built-in sensor 

- software: encrypted data (TPM?) 

external version of the sensor 
templates

• localisation 

- in the filesystem (filemon) 

- in the registry (regmon) 

• analysing 

- template to user correlation 

- used algorithms 

- checksums 

- raw images 
templates @ thinkpad sensor

[Screenshot: regmon trace of ctlcntr.exe and winlogon.exe querying HKLM\SOFTWARE\Protector Suite QL\1.0 and HKLM\SOFTWARE\policies\fingerprint\convinientMode, then opening and enumerating HKLM\SOFTWARE\Virtual Token\Passport\2.0\LocalPassport]

- HKEY_LOCAL_MACHINE\SOFTWARE\Virtual Token\Passport\2.0

• \LocalPassport\User <Username> 

• \LocalPassportBio 



C:\WINDOWS\system32\config\SOFTWARE 
template starts with: 00 13 48 5b [01 02 
attacking the communication

replaying sniffed packages

[Figure: replay attack, by Lisa Thalheim. Two panels, "sniffing" and "replaying", each showing Sensor, Processing unit and Attacker]




inserting self-generated data 

- analyse template data 

- attacking the software 



PACSEC - 2006 



attacking the templates

• adding or deleting a template 

• two people matching one template 

• changing template to person correlation 

• attacking the software using a manipulated 
template 






read the template in the registry 



add your own fingerprint to an existing template 



write back to the registry (biometric worm) 






attacks using the sensor 
latent prints 1

• reactivating latent prints on touch sensors 

- capacitive: aspirate, graphite 

- optical: coloured powder 



countermeasures 

- checking minutia position of 
the last login 




reactivating latent prints 



http://www.heise.de/ct/02/11/114/
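
The countermeasure named on this slide, checking the minutia positions of the last login, sketched as an added example (not code from the talk or from any sensor vendor). It assumes minutiae are available as (x, y, angle) tuples in sensor coordinates; the function names, thresholds and sample data are constructed for illustration.

```python
import math

# Minutia = (x, y, angle_deg) in sensor pixels. Thresholds are assumptions
# chosen for this illustration, not values from any product.
POS_TOL_PX = 2.0
ANGLE_TOL_DEG = 4.0
SAME_PLACEMENT_FRACTION = 0.9


def angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def unaligned_overlap(last_login, current):
    """Fraction of current minutiae lying on a last-login minutia with NO
    translation/rotation alignment applied (greedy one-to-one pairing)."""
    if not current:
        return 0.0
    unused = list(last_login)
    hits = 0
    for x, y, a in current:
        for cand in unused:
            if (math.hypot(x - cand[0], y - cand[1]) <= POS_TOL_PX
                    and angle_diff(a, cand[2]) <= ANGLE_TOL_DEG):
                unused.remove(cand)
                hits += 1
                break
    return hits / len(current)


def is_suspected_reactivation(last_login, current):
    """Same placement as the last login suggests residue, not a new touch."""
    return unaligned_overlap(last_login, current) >= SAME_PLACEMENT_FRACTION


def place(minutiae, dx, dy, rot_deg, centre=(100.0, 100.0)):
    """Simulate a fresh placement: rotate about centre, then shift."""
    r = math.radians(rot_deg)
    c, s = math.cos(r), math.sin(r)
    return [(centre[0] + (x - centre[0]) * c - (y - centre[1]) * s + dx,
             centre[1] + (x - centre[0]) * s + (y - centre[1]) * c + dy,
             (a + rot_deg) % 360.0) for x, y, a in minutiae]


# Constructed sample data (not real fingerprint measurements).
LAST = [(40, 52, 10), (88, 61, 95), (120, 140, 200), (64, 170, 310), (150, 90, 45)]
RESIDUE = [(41, 52, 11), (88, 60, 94), (119, 140, 201), (64, 171, 309), (150, 90, 46)]
FRESH = place(LAST, 9, -6, 7)
```

The check runs before the matcher aligns the sample; a sample flagged here is rejected and the user is asked to lift the finger and place it again.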
latent prints 2

• using latent prints (not on the sensor) 

- graphite or coloured powder on adhesive 
tape 

• not for sweeping sensors 



graphite powder on adhesive tape 

http://www.heise.de/ct/02/11/114/

making a dummy finger

• gelatine, silicone 

• wood glue 




making a dummy finger 



enhancing with graphite spray 








making a dummy finger @ thinkpad sensor






etching an optical PCB 



aluminium foil on 
adhesive tape 




transfer the fingerprint onto 
the foil 
life check

• pulse 

- IR illuminated bloodstream 

- deformation of the ridges 

• property of the skin 

- electrical and thermal conductivity 

- colour 

• absorption of the blood 

• sweat 
hacked sensors (systems)

• capacitive 

- Infineon (Siemens ID mouse) 

- UPEK (IBM Thinkpads) 

• optical 

- Dermalog 

- U.are.U (Microsoft) 

- Identix 

• thermal

- Atmel (ekey, iPAQ) 

• electrical 

- Authentec (Medion) 
conclusion

• latent prints left on nearly every surface 

• prints are easy to collect 

• nearly all tested systems could be fooled with a
home-made dummy finger

• fall-back passwords still needed 

• Don't use fingerprint recognition systems for 
security relevant applications! 
Thank you.



starbug@biometrische-systeme.org 
preventing the recognition

• superglue



hard work :) 



etching 



scorching 

remove with emery paper 



transplantation 



